Steve Marquess wrote:
Mark Phalan wrote: ...
> Due to the way the FIPS Capable OpenSSL is built it ends up with
> older implementations of ciphers (all the ones that fipscanister.o
> implements). These cipher implementations are used regardless of
> being in FIPS mode or not.
Ummm, not so. Use the OpenSSL FIPS Object Module v1.2 (the
fipscanister.o part *only*, throw the rest away!) along with a
current version of OpenSSL 0.9.8 for everything else. That way the
old but validated crypto implementations in fipscanister.o are used
in FIPS mode, the standard unvalidated (and current) ones in 0.9.8k+
are used when not in FIPS mode.
The FIPS capable build process is discussed in the User Guide
document noted above.
Mark, on reflection and a gentle reminder from Steve Henson I realize
I've rather bungled this answer above. Rather than repeat my earlier
mistake of banging out a quick response on the fly I'll give a more
thoughtful statement when I can give it the attention it deserves
(hopefully over the weekend).
> ...
>
> I'm new to the list so if these things have been discussed before
> feel free to send me to an archive of that previous discussion.
Yes, but this is tricky stuff, complex crypto compounded with
unintuitive policy requirements, so please feel free to ask.
Yes, tricky indeed :-)
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
